2015-01-20 - BBVA BANCOMER PHISHING EMAILS
ASSOCIATED FILES:
- ZIP - PCAP from today's Word document downloading an EXE: 2015-01-20-phishing-email-word-document-downloads-malware.pcap.zip
- ZIP - PCAP on the post-infection traffic from the EXE: 2015-01-20-phishing-email-post-infection-traffic.pcap.zip
- ZIP - associated malware: 2015-01-20-phishing-malware.zip
- ZIP - 2015-01-16 email with headers: 2015-01-16-phishing-email.txt.zip
- ZIP - 2015-01-19 email with headers: 2015-01-19-phishing-email.txt.zip
- ZIP - 2015-01-20 email with headers: 2015-01-20-phishing-email.txt.zip
NOTES:
- Since 2015-01-16, we've seen eight of these phishing emails.
- Although these emails are written in Spanish, they were not sent to any Spanish or Latin American recipients.
- From our end, the recipients were publicly-known English-language email addresses.
EXAMPLE OF THE EMAILS
SCREENSHOTS:
NOTE: The message from 2015-01-19 was the same as 2015-01-16, but had a different Word document.
MESSAGE TEXT EXAMPLE - 2015-01-16 AND 2015-01-19:
Reply-To: <altainterban@serviciobancomer.com>
Date: Monday, January 19, 2015 at 6:54 AM CST
Subject: Notice - Interbank Account Registration
BBVA Bancomer
We inform you that an interbank account registration has been made in your online banking service. The detailed information is in the document attached to this email. Below is a summary of the operation:
Registration date and time: JANUARY 15, 2015
Registration folio: 0032736009
If you require more information, contact Línea Bancomer at 01800 2262554 (toll-free long distance) or at 5226 2104 from Mexico City.
This email constitutes a notification of the terms under which the operation was carried out; the only official proof is the account statement issued by BBVA Bancomer.
BBVA Bancomer, S.A. Institución de Banca Múltiple, Grupo Financiero BBVA Bancomer
It's Simple, Fast and Secure.
This notification is made pursuant to the provisions of article 311, section two, and article 314 of the General Provisions applicable to Credit Institutions.
MESSAGE TEXT EXAMPLE - 2015-01-20:
From: "Bancomer.com Otros Bancos4" <alertaid@serviciobancomer.com>
Reply-To: <alertaid@serviciobancomer.com>
Date: Tuesday, January 20, 2015 at 8:52 AM CST
Subject: Interbank Transfer Online Banking
We inform you that an interbank transfer was sent to your checking/savings account under the following conditions.
Amount $13,475.00
Operation date 20/01/2015
Deposit method SAME DAY (SPEI) Numeric reference 270514
Internet folio 0075426011
The detailed information on the transfer is in the file attached to this email.
(To view the attachment you must have Microsoft Word installed)
This email is only a reference to the terms under which the operation was carried out; the only official proof is the checking account statement issued by GFBBVA Bancomer, S.A.
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT - 2015-01-16:
File name: Detalle_AltaInterban.doc
File size: 536.5 KB ( 549376 bytes )
MD5 hash: fb08fc5b422699e2a71cc5de5b3729ac
Detection ratio: 25 / 57
First submission: 2015-01-16 09:48:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/cef49e3ef4d810e21497d4c6ed8fa95f4c5467ef35cce1f7ee9a7f28bb551e09/analysis/
EMAIL ATTACHMENT - 2015-01-19:
File name: Detalle_AltaInterban.doc
File size: 558.5 KB ( 571904 bytes )
MD5 hash: f6881feb9c4048517f911c7ef9646842
Detection ratio: 13 / 57
First submission: 2015-01-19 10:56:09 UTC
VirusTotal link: https://www.virustotal.com/en/file/474b3b01c90b4c4eb10cbffae917c20a0da570f5ae0f8814b6cadf48da7f0c55/analysis/
EMAIL ATTACHMENT - 2015-01-20:
File name: Transferencia_Interbancaria.doc
File size: 558.5 KB ( 571904 bytes )
MD5 hash: 285a97a0a7adb4e7e97e6927009ebc33
Detection ratio: 10 / 57
First submission: 2015-01-20 11:57:55 UTC
VirusTotal link: https://www.virustotal.com/en/file/48791c0ea6c3d34d267452bf32cbe8346d9d29ebd48f0b323cd811d952d4febd/analysis/
EXE DOWNLOADED BY THE 2015-01-20 WORD DOCUMENT:
File name: ss.exe (stored on the infected host as 33.EXE)
File size: 197.0 KB ( 201728 bytes )
MD5 hash: 85a7dd41140f87fc0e3e455dcb95a00b
Detection ratio: 4 / 57
First submission: 2015-01-20 18:17:38 UTC
VirusTotal link: https://www.virustotal.com/en/file/a296b4ffbb424f5aa11d62bcb295c798c32322c85daf9337b1d2e63f4b5f6b15/analysis/
Malwr link: https://malwr.com/analysis/YzYwMzQyMzk3YWEyNGFlMjhhOTgwYjlmMGQwN2YyMWI/
FOLLOW-UP MALWARE DOWNLOADED DURING THE POST-INFECTION TRAFFIC:
File name: z7.exe (stored on the infected host as 9.tmp.exe)
File size: 956.0 KB ( 978944 bytes )
MD5 hash: a752bedbbf6b73e52e2d7f8f3cd6a227
Detection ratio: 4 / 57
First submission: 2015-01-20 18:13:42 UTC
VirusTotal link: https://www.virustotal.com/en/file/98589d73e06c0587d5e3463146b01f4f47072a68f6ce4ae033de1013a4c1de86/analysis/
Malwr link: https://malwr.com/analysis/NGJmZjFiNWU5MDgwNDhkZTliNmE0NTUyMjQzMmYzOTc/
INFECTION TRAFFIC
ASSOCIATED DOMAINS:
- 192.185.183.126 - cliomars.com - 2015-01-16 and 2015-01-19 Word documents' callback domain for EXE file
- 192.185.183.121 - e-trebol.com - 2015-01-20 Word document's callback domain for EXE file
- 104.171.118.144 - sinpp.su - Post-infection callback
- 69.31.136.17 - fs03n4.sendspace.com - Post-infection request for another EXE file
SANDBOX ANALYSIS OF FIRST TWO WORD DOCUMENTS:
- 2015-01-16 11:24:41 UTC - cliomars.com - GET /error/ss.exe
- 2015-01-19 14:03:20 UTC - cliomars.com - GET /error/ss.exe
RUNNING THE 2015-01-20 WORD DOCUMENT ON A VM:
- 2015-01-20 21:25:18 UTC - e-trebol.com - GET /404/ss.exe
FINALLY GOT THE DOWNLOADED MALWARE TO RUN ON ANOTHER HOST:
- 2015-01-20 22:09:12 UTC - www.msn.com - GET /
- 2015-01-20 22:09:31 UTC - www.adobe.com - POST /
- 2015-01-20 22:09:35 UTC - www.adobe.com - POST /
- 2015-01-20 22:09:38 UTC - www.adobe.com - POST /
- 2015-01-20 22:09:42 UTC - www.adobe.com - POST /go/flashplayer_support/
- 2015-01-20 22:09:46 UTC - go.microsoft.com - POST /fwlink/?LinkId=96416
- 2015-01-20 22:09:50 UTC - www.microsoft.com - POST /management
- 2015-01-20 22:09:53 UTC - sinpp.su - POST /store/
- 2015-01-20 22:09:56 UTC - support.microsoft.com - POST /
- 2015-01-20 22:10:00 UTC - www.adobe.com - POST /
- 2015-01-20 22:10:04 UTC - go.microsoft.com - POST /fwlink/?LinkId=98075
- 2015-01-20 22:10:07 UTC - www.microsoft.com - POST /management
- 2015-01-20 22:10:11 UTC - sinpp.su - POST /store/
- 2015-01-20 22:10:15 UTC - fs03n4.sendspace.com - GET /dlpro/2cecac96b40517083ff1eb9399a0ff00/54be710f/nhkub2/z7.exe
- 2015-01-20 22:10:17 UTC - sinpp.su - POST /store/
- 2015-01-20 22:10:19 UTC - sinpp.su - POST /store/
- 2015-01-20 22:10:30 UTC - sinpp.su - POST /store/
SNORT EVENTS
Signature hits noted from the Emerging Threats and ETPRO rulesets on Security Onion (not counting ET POLICY or ET INFO events):
- ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile (sid:2019714)
Signature hits noted from the VRT/Talos ruleset from Snort 2.9.7.0 on Debian 7:
- [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
- [1:11192:16] FILE-EXECUTABLE download of executable content
- [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
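The post-infection request list above shows the pattern worth catching on a proxy or NSM log: short alphanumeric EXE downloads (ss.exe, z7.exe), POSTs to a .su domain, and POSTs to vendor sites like adobe.com and microsoft.com that serve as connectivity checks or decoys between the sinpp.su beacons. The following triage script is an added example, not part of the original write-up or any ruleset; the log format (timestamp - host - METHOD path) and the sample lines are constructed to mirror the list above, and the "terse EXE" check is a loose approximation of the idea behind ET sid:2019714, not that signature's logic.

```python
import re
from collections import Counter

# Constructed sample shaped like the request list in the write-up.
SAMPLE_LOG = """\
2015-01-20 21:25:18 UTC - e-trebol.com - GET /404/ss.exe
2015-01-20 22:09:12 UTC - www.msn.com - GET /
2015-01-20 22:09:31 UTC - www.adobe.com - POST /
2015-01-20 22:09:46 UTC - go.microsoft.com - POST /fwlink/?LinkId=96416
2015-01-20 22:09:50 UTC - www.microsoft.com - POST /management
2015-01-20 22:09:53 UTC - sinpp.su - POST /store/
2015-01-20 22:10:15 UTC - fs03n4.sendspace.com - GET /dlpro/2cecac96b40517083ff1eb9399a0ff00/54be710f/nhkub2/z7.exe
2015-01-20 22:10:17 UTC - sinpp.su - POST /store/
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ UTC) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<path>\S+)$")
# Very short alphanumeric EXE names (ss.exe, z7.exe); an assumed heuristic.
TERSE_EXE_RE = re.compile(r"/[a-z0-9]{1,3}\.exe$", re.IGNORECASE)
# Vendor sites that the sample beacons POST to in between C2 check-ins.
DECOY_POST_HOSTS = ("adobe.com", "microsoft.com")

def parse_line(line):
    """Parse one 'ts - host - METHOD path' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_request(req):
    """Return detection labels that apply to one parsed request."""
    labels = []
    host, method, path = req["host"], req["method"], req["path"]
    if host.endswith(".su"):
        labels.append("suspicious-su-tld")
    if method == "GET" and TERSE_EXE_RE.search(path):
        labels.append("terse-exe-download")
    if method == "POST" and any(host == d or host.endswith("." + d) for d in DECOY_POST_HOSTS):
        labels.append("post-to-vendor-decoy")
    return labels

def triage(log_text):
    """Return (flagged requests as (ts, host, labels), label counts)."""
    hits, counts = [], Counter()
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        labels = flag_request(req)
        if labels:
            hits.append((req["ts"], req["host"], labels))
            counts.update(labels)
    return hits, counts
```

A single vendor POST is noise on its own; the sequence of vendor POSTs wrapped around a .su POST every few seconds is what makes the host worth pulling for review.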
FINAL NOTES
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.